Monday, April 6, 2015

QRadar - Threat Intelligence on the Cheap - The Code

Ever thought of a way to get threat intelligence information for your QRadar on the cheap? Here it is; I'm making your life and/or job easier :-). Basically this script goes out to a few websites and downloads lists of suspected bad IPs and domains. From these downloads I then compile one list for IPs and one for DNS. Once I have the above lists, I then create 2 reference sets in QRadar to import the data. Once the script runs for the first time, you will need to create your QRadar rules manually. This post addresses that issue.

P.S. A point to note is that the quality of this list is dependent on the people who are putting it out. I give no warranty, nor am I vouching for the list. These IPs should be used as a starting point for your investigation, not the ultimate decision as to whether something good or bad has happened.

#!/usr/bin/env python
# This code is designed to download lists of known bad IPs and domains.
# Once the lists have been downloaded, 2 reference sets are created:
# 1 for IPs and 1 for domains.
# Manual creation of QRadar rules is then done. These rules are then run against these
# lists to identify known bad IPs and domains.
#
# SecurityNikThreatIntel.py v1.0
# Author: Nik Alleyne, CISSP|GCIH|A < nikalleyne at gmail.com >
# Date: 2015-02-25
# Disclaimer: In no way am I responsible for any damages which you may
# cause to your system by running this script.

# Imports used by the excerpts below (path checks, running shell commands, pausing, exiting)
from os import path
from subprocess import call
from time import sleep
from sys import exit

# Show the distribution release file if it exists
if ( path.exists('/etc/system-release') and path.isfile('/etc/system-release') ):
    call(['cat', '/etc/system-release'])
else:
    print('\n Looks like you are running Linux. ')
    print('\n However, I am unable to determine your version info. ')

# qRadar_path and qRadar_ver are set earlier in the full script (not shown in this excerpt)
print(' \n Looking for an installed version of QRadar')
if ( path.exists(qRadar_path) and ( path.isdir(qRadar_path)) ):
    print(' \n looks like you are running QRadar version ... ')
    call([qRadar_ver])
    print(' \n Good stuff ... \n Blast off =>>>>>>> ')
else:
    print(' An installed version of QRadar was not found on your system ')
    print(' This script will not work for you, it was designed to be used on a box running IBM QRadar ')
    print(' Exiting ... ')
    exit(0)

# Tail of the operating-system check; the matching if-branch is not shown in this excerpt
    sleep(2)
else:
    print(' Running this is a waste of your time. ')
    print(' This script is SPECIFICALLY for QRadar ')
    exit(0)

# Check to see if the .ip_tmp/ folder exists - this folder stores the files at the first download.
# Basically this will determine if it's the first time the script is being run
if ( path.exists('.ip_tmp/') and (path.isdir('.ip_tmp/')) ):
    ip_path = '.ip_tmp_path/'
else:
    ip_path = '.ip_tmp/'

# This function downloads the list of malicious and/or suspected domains.
# DO NOT add entries to this list unless you are sure what you are doing.
# These files are in different formats, thus the files may need to be manipulated individually.

# rows holds the parsed output of the earlier reference-set lookup (not shown in this excerpt);
# a count of '0' in the third column means the set does not exist yet
if (rows[2].strip() != '0'):
    print(' Looks like reference set already exists \n ')
else:
    print(' Reference Set %s not found ... ' %reference_set_name )
    print(' Looks like we will have to create this bad boy ...')

try:
    # call() returns the exit status and does not raise on a non-zero status,
    # so the status is checked explicitly; otherwise a failed create would be reported as a success
    rc = call(['/opt/qradar/bin/ReferenceSetUtil.sh', 'create', reference_set_name , 'IP'])
    if rc != 0:
        raise RuntimeError('ReferenceSetUtil.sh exited with status %d' % rc)
    print(' Successfully created reference set %s \n ' %reference_set_name )
    #print(' Looks like that went well ... ' )
except Exception:
    # This does not catch any java exception that may be created
    print(' Error occurred while creating reference set %s ' %reference_set_name)
    print(' You may create the reference set %s manually if needed ' %reference_set_name )
    exit(0)


I had a hard time getting the reference set to load. I found that QRadar doesn't like ':' and ';' in the text file. Also I pulled out the xn-- items until I can figure out if I need to use the Punycode or straight UTF in my environment.

Tom, what version are you running? I wonder how many people besides me managed to get this script working without any issues. I see the responses from those who are having issues but have no idea about the people who have this working, even though this seems to be a popular post.

It is version 7.2.4. The IP download and update works wonderfully. For whatever reason, the DNS blacklist was failing so I looked at the text list. Once I removed any of the ; and : and the encoded DNS entries, the list imported fine. Just weird. I started to look at the ReferenceDataUtil.sh but it just calls java and a referencedata Class. That is outside my abilities. At some point, I'll hunt down the website that has the misconfigured download and edit the script. The work to gather the data and the framework to update QRadar is there. I can comment out the DNS blacklist upload until I figure it out. Glad that you posted this. It's been a huge help!
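The script's own comment notes that the downloaded feeds come in different formats and need to be handled individually, and the comment thread above found that ';' and ':' characters and xn-- entries made the DNS reference-set import fail. The function below is an added example (not part of the original script) that normalises raw feed text before it is written out for ReferenceSetUtil.sh: it strips feed comments, validates each entry as an IP address or hostname, sets Punycode (xn--) names aside for a separate decision, and keeps a list of what was rejected so the import failure can be traced back to the offending feed. The feed text is constructed for the example and is not a real feed.

```python
import ipaddress
import re

# Constructed sample of the kinds of lines mixed feeds contain (not a real feed).
SAMPLE_FEED = """\
# comment line from feed A
198.51.100.23
203.0.113.7 ; seen 2015-02-25
192.0.2.1:8080
bad.example.net
xn--bcher-kva.example
evil.example.org:443
not an entry
198.51.100.23
"""

# Hostname: dot-separated labels of letters, digits and hyphens, alphabetic TLD, max 253 chars.
DOMAIN_RE = re.compile(
    r'^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$')


def normalize_feed(text):
    """Split raw feed text into sorted IP, domain and Punycode lists plus rejects.

    A trailing ';comment' is stripped, but any ':' left in an entry (a port suffix,
    or an IPv6 address) makes it unusable for the 'IP' reference set and it is rejected,
    matching the import failures seen in the thread.
    """
    ips, domains, punycode, rejected = set(), set(), set(), []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip().lower()
        if not line:
            continue
        if ':' in line:
            rejected.append(raw.strip())
            continue
        try:
            ips.add(str(ipaddress.ip_address(line)))
            continue
        except ValueError:
            pass  # not an IP address, try it as a hostname
        if DOMAIN_RE.match(line):
            (punycode if 'xn--' in line else domains).add(line)
        else:
            rejected.append(raw.strip())
    return sorted(ips), sorted(domains), sorted(punycode), rejected
```

Writing each returned list to its own file gives ReferenceSetUtil.sh input with one clean entry per line, and the rejected list shows which feed needs individual handling.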

Below is a list of threat intelligence websites that you can use. Cymon.io is an excellent one as it searches around 200 different sources. If you’re looking for a more exhaustive list of threat intel sites, check out https://github.com/rshipp/awesome-malware-analysis